WithPCI.com

A3.1.3 PCI DSS compliance roles and responsibilities are specifically defined and formally assigned to one or more personnel, including:

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

A3.1.3 PCI DSS compliance roles and responsibilities are specifically defined and formally assigned to one or more personnel, including:

  • Managing PCI DSS business-as-usual activities.
  • Managing annual PCI DSS assessments.
  • Managing continuous validation of PCI DSS requirements (for example, daily, weekly, every three months, as applicable per the requirement).
  • Managing business-impact analysis to determine potential PCI DSS impacts for strategic business decisions.

PCI DSS Reference: Requirement 12

Customized Approach Objective

This requirement is not eligible for the customized approach.

Defined Approach Testing Procedures

A3.1.3.a Examine information security policies and procedures and interview personnel to verify that PCI DSS compliance roles and responsibilities are specifically defined and formally assigned to one or more personnel in accordance with all elements of this requirement.

A3.1.3.b Interview responsible personnel and verify they are familiar with and performing their designated PCI DSS compliance responsibilities.

Purpose

The formal definition of specific PCI DSS compliance roles and responsibilities helps to ensure accountability and monitoring of ongoing PCI DSS compliance efforts.

Good Practice

Ownership should be assigned to individuals with the authority to make risk-based decisions, and upon whom accountability rests for the specific function. Duties should be formally defined, and owners should be able to demonstrate an understanding of their responsibilities and accountability.

Compliance roles may be assigned to a single owner or multiple owners for different requirement elements.

Purpose

Designated Entities must document and track remediation of PCI DSS compliance gaps.

Compliance Strategies

  • Remediation tracking tools
  • Management oversight

Typical Policies

  • Remediation Tracking Policy

Common Pitfalls

  • Untracked remediation
  • No follow-up

Type

Process Control

Difficulty

Moderate

Key Risks

  • Unresolved compliance issues

Recommendations

  • Integrate remediation tracking with compliance program
